fbpx

On-Requirement SCIM provisioning of Azure AD to AWS SSO with PowerShell

In this post, I’ll demonstrate ways to work with a PowerShell script to initiate an on-demand synchronization between Azure Energetic Directory and AWS Single Sign-On (AWS SSO) and steer clear of the default 40-moment synchronization plan between both identity providers. This remedy helps enterprises synchronize adjustments designed to users quickly, organizations, or permissions within Azure Advertisement with AWS SSO. This enables user or permission changes to be reflected in associated AWS accounts quickly.

Prerequisites

You need the next to perform this session:

This post targets the steps had a need to create the on-demand sync solution. You will discover specifics on how best to set up and make use of PowerShell and the Azure PowerShell modules at Installing Azure PowerShell.

Figure 1: Triggering the SCIM Endpoint to sync all customers and groupsBody 1: Triggering the SCIM Endpoint to sync all customers and groups

Grant permission to the Graph API to gain access to the Default Directory within Azure AD

To begin with, grant the permissions necessary for the application to possess usage of the directory endpoint.

To grant permissions

  1. Sign into the Azure Portal and demand Azure Advertisement dashboard.
  2. From the left routing pane, select App registrations. In the event that you don’t see the application listed, choose the All apps tab.
    For this example, I’m utilizing an application named AWS.

    Figure 2: Choose the AWS app sign up

    Figure 2: Choose the AWS app sign up

  3. Choose API permissions from the navigation pane.
  4. Choose the Add a permission option.
    Figure 3: Choose the Include API permission Figure 3: Choose the Include API permission
  5. From the configurations page that opens, pick the Microsoft Graph option.

    Body 4: Demand API permissions

    Figure 4: Ask for API permissions

    Under What kind of permissions does the application require, select Delegated permissions and enter directory.readwrite.all within the permissions search industry. Select Directory.ReadWrite.All and choose Include permissions in the bottom of the page.

    Body 5: Demand API permissions - Include permissionsFigure 5: Demand API permissions – Include permissions
  6. On the API permissions web page, choose Grant admin consent for Default Directory and choose Yes.
    Figure 6: Grant permission for the accounts to possess administrator permissionsDetermine 6: Grant permission for the account to possess administrator permissions

Create a key and certificate to gain access to the application

To get started, develop a key and certificate which grants protected usage of the AWS application.

To create a key

and certificate

  1. Choose Certificate & secrets from the left routing menu and choose New customer secret.

    Body 7: Developing a client key for 12 months

    Figure 7: Developing a client secret for 1 year

  2. Select the desired amount of the certificate.
  3. Provide a explanation and choose Add.
    1. Copy the worthiness of the certificate that’s generated and conserve it to utilize later in this technique.
    2. After you’ve saved the worthiness to use afterwards, select Home from the very best still left corner of the screen.

    Body 8: Be sure you click Duplicate to clipboard to shop the value of the trick

    Figure 8: Be sure you click Duplicate to clipboard to shop the worthiness of the key

Create a consumer with permissions to perform the code

Given that you’ve given the application usage of the directory, let’s develop a consumer and assign the correct permissions to perform the code.

To develop a user and assign permissions

  1. Choose Azure Active Directory from the Azure services checklist.
  2. Choose Users and choose New user. The User title, First title, and Final name areas are needed. In this illustration, I set the User name and First title to Auth and the Final name to User.

    1. Take take note of the password that’s set because of this user and conserve it to utilize later.
    2. As soon as completed, choose Create.
    Body 9: Develop a user within Azure ADFigure 9: Develop a user within Azure AD
  3. Select the developed user from the listing newly.
    1. On the remaining navigation pane, select Assigned roles.
    2. Choose Add assignments.
    3. Choose Hybrid identity administrator and choose Add.
    Figure 10: Assign an individual the role to bring about the APIFigure 10: Assign an individual the role to bring about the API
  4. Select Default Directory from the very best of the routing pane.
    1. Choose Business applications.
    2. Select the AWS software.
    3. Select Assign users and groupings.

    Figure 11: Azure Enterprise apps - Assign users and groupings

    Figure 11: Azure Business applications – Assign customers and groups

  5. Choose + Add user near the top of the window.
    1. Select an individual you created previously. I select Auth as that has been an individual I created previously.
    2. Choose Select and Assign.
    Figure 12: Choose the consumer we created previously from Body 9Figure 12: Choose the user we made earlier from Physique 9

    Figure 13: Assign an individual to the application form

    Figure 13: Assign an individual to the program

  6. Today that you’ve added an individual, you can view that an individual is assigned to the application form.

    Figure 14: Screen now displaying that an individual has been assigned to the application form

    Figure 14: Screen now displaying that an individual has been assigned to the app

  7. It’s recommended to get on the Azure portal because the user you merely created in a fresh incognito or private internet browser session. Within the first sign in, you’ll end up being prompted to improve the password.

Prerequisites to induce the SCIM endpoint

You need the next what to run the PowerShell program code that creates the endpoint.

  1. From the application form registration, retrieve the things shown below. Remember that the client can be used by you key saved earlier once the certificate was created.
    • Tenant ID
    • Display name
    • Application ID
    • Client secret
    • User name
    • Password
  2. Copy the things to a notepad in the preceding order so that you can enter every one of them through a single duplicate and paste activity while working the script.
  3. From the menus, select Azure Energetic Directory.
  4. Choose App registrations and choose the AWS App that has been set up.
  5. Copy the Application (client) ID and the Directory (tenant) ID.
Figure 15: App sign up contains every item necessary for the PowerShell scriptFigure 15: App sign up contains every item necessary for the PowerShell script

Result in the SCIM endpoint with PowerShell

Given that you’ve completed all the previous steps, you should copy the program code from the GitHub repository to your neighborhood machine and run it. We’ve configured the program code to manually run, but you may also automate it to result in an Azure Automation runbook when customers are put into Azure through Alerts. You can even configure CloudWatch Activities to perform a Lambda perform at periodic intervals.

To bring about the SCIM endpoint

  1. Copy the program code from the GitHub repository.
  2. Save the code utilizing the code editor of one’s choice, or it is possible to download Visual Studio Code. Supply the document a user-friendly title, such as for example Sync.ps1.
  3. Navigate to the positioning where you saved the file and operate./sync.ps1.
  4. When prompted, enter the ideals from the notepad. It is possible to paste these all at once so you need to copy and paste every individual item don’t.

    Note: When copying and pasting within Windows, pick the PowerShell icon, Edit &gt then; Paste.

    Figure 16: Windows Order Prompt - Choose Paste to duplicate all items had a need to bring about the syncFigure 16: Windows Order Prompt – Choose Paste to duplicate all items had a need to induce the sync

Once you paste the values in to the PowerShell window, the script sometimes appears by you input as shown in the next screenshot. Your client password and secret are secure values and so are masked for security purposes.

Figure 17: PowerShell script with input values pasted within

Figure 17: PowerShell script with input ideals pasted in

Following the job has were only available in PowerShell, two text messages are displayed. One indicating that synchronization is beginning and a following information when synchronization has finished. Both are demonstrated in the next figure.

Number 18: Output from the successful operate of the PowerShell scriptNumber 18: Output from the successful operate of the PowerShell script

See the synchronization standing and logs

To verify that the operating job ran successfully, you can examine the completed period from the Azure portal. It is possible to verify the proper time the script ran by viewing the completion time together with the current status.

To view the position and logs

  1. From the menus, choose Azure Energetic Directory.
  2. Choose Enterprise applications and choose the AWS App.
  3. From the still left navigation menus, choose Provisioning and choose Look at provisioning information. This shows the last period the sync completed.

    Figure 19: Look at the Provisioning information regarding the work

    Figure 19: Watch the Provisioning information regarding the job

Summary

In this article, I demonstrate ways to work with a PowerShell script to trigger the SCIM endpoint to on-demand synchronize Azure AD with AWS Single Sign-On. You can get the program code in this GitHub repository and utilize it to synchronize user and team changes on demand.

For those who have feedback concerning this post, submit remarks in the Comments section below.

Want a lot more AWS Security how-to articles, news, and show announcements? Stick to us on Twitter.

Writer

Aidan Keane

Aidan is really a Senior Technical Accounts Manager for AWS Business Support. He’s got been dealing with Cloud technology for a lot more than 5 yrs. Outside of technology, he could be a sports activities enthusiast who enjoys golfing, biking, and viewing Liverpool FC. He spends his leisure time with his loved ones and enjoys planing a trip to South and Ireland The united states.

%d bloggers like this: